The Apache web server can display the contents of directories to users when there is no default index file (such as index.html) present. This feature is managed by the mod_autoindex module. When the directory listing is enabled, if a user accesses a directory without an index file, they will see a list of files and folders within that directory.

Common default index files include:index.html, index.htm, index.php, and welcome.html. These can be configured in DirectoryIndex directive within the Apache configuration file.

While directory listing can be useful for openly sharing files, it might inadvertently expose sensitive files or the server's directory structure. To improve security, it's recommended to disable this feature. In this guide, we'll explore three primary methods to achieve this in Apache:

For those using platforms like cPanel, there are platform-specific methods to disable Apache's directory listing.

Disable Apache directory listing by disabling autoindex module

A direct approach is to deactivate the mod_autoindex module. Note that this will affect all sites hosted on the server.

  1. Launch your preferred terminal application.
  2. Disable autoindex module for Apache.
    $ sudo a2dismod --force autoindex # Ubuntu, Debian and SUSE
    Module autoindex disabled.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    • Distributions with a2dismod support can simply run the command above without having to manually disable the required modules.
    • LoadModule directive for the corresponding autoindex module need to be manually disabled by removing or commenting (by adding # at the beginning) the line in the configuration file.
    Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp
    a2dismod support yes yes no no no no
    Modules to uninstall none
    Module name n/a autoindex
    Loadmodule directive n/a #LoadModule autoindex_module <module_locations>/
  3. Restart Apache for the changes to take effect.

Disable Apache directory listing via Directory's Options directive

You can specifically deny directory listings by adding -Indexes to the Options directive within Apache's configuration file.

  1. Open Apache's configuration file using your preferred text editor.
    $ sudo vi /etc/apache2/other/mysite.conf

    The configuration could be set globally or from within VirtualHost configuration.

  2. Find the Options line within the Directory blockock.
    <Directory /var/www/mysite>
        Options Indexes FollowSymLinks
  3. Remove Indexes option or add -Indexes to Options directive.
    <Directory /var/www/mysite>
        Options -Indexes FollowSymLinks

    Notice that it's -Indexes and not +Indexes

  4. Save and exit the editor
  5. Restart the Apache service to apply changes.

Disable Apache directory listing using .htaccess

If you don't have root access or prefer to control directory listing for specific directories, utilize the .htaccess file:

  1. Navigate to the directory where you want to disable directory listing.
  2. Open or create .htaccess file on the directory using your preferred text editor.
    $ sudo vi /var/www/mysite/.htaccess
  3. Add -Indexes to Options directive in the .htaccess file.
    Options -Indexes

    Ensure that the Apache configuration allows the use of .htaccess files by checking the AllowOverride directive is set to All or at least Options for the relevant directory.

  4. Save and exit the editor.
  5. Restart Apache to apply the changes.
    $ sudo systemctl restart apache2
Discuss the article:

Comment anonymously. Login not required.